On March 29, 2024, Andreas Freund posted a backdoor warning to the public oss-security@openwall mailing list. The backdoor targets the liblzma library, part of the xz compression package. Many open source (and likely commercial) software systems incorporate this library, critical among them the Secure Shell Daemon (sshd). Virtually every Linux-based host worldwide ships with sshd, as it is the standard mechanism to allow secure remote logins. Many non-Linux systems support sshd as well.
Further analysis of the exploit, and an ongoing effort to maintain a timeline of events surrounding it, suggest that the attacker’s goal was to allow arbitrary remote code execution on affected hosts with superuser (root) permissions. This is known as a remote code execution (RCE) vulnerability and essentially gives the attacker full access to all resources on the affected system.
Immediately upon learning of this vulnerability, the INKY operations and development teams began assessing potential impact to INKY and INKY customers. Fortunately, the findings show that INKY could not have been affected; here’s why:
INKY uses the Ubuntu Linux distribution for all hosted services. The backdoored packages were never released into the Ubuntu “stable channel,” meaning INKY servers would never have incorporated the affected liblzma version. (The affected versions are 5.6 and 5.6.1; our servers all remain on 5.2.4.)
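The version comparison above is the first check an administrator would run on their own hosts. The script below is an added example, not INKY’s own tooling: it assumes a Debian/Ubuntu host where the library ships as the `liblzma5` package and `dpkg-query` is available, and falls back to `xz --version` otherwise. It only classifies version strings against the two releases named in this notice; it does not inspect the library binary itself.

```shell
#!/bin/sh
# Added example (not INKY's code): triage a host's installed xz/liblzma version
# against the releases this notice identifies as backdoored (5.6 / 5.6.0 and 5.6.1).
# Version-string matching is a first triage step only; confirm against your
# distribution's advisory, since vendors re-released fixed packages afterwards.

# Reduce a packaging version string to its upstream part:
#   "5.2.4-1ubuntu1.1" -> "5.2.4"   (strip the Debian revision after the dash)
#   "1:5.6.1-1"        -> "5.6.1"   (also strip a leading epoch, if any)
upstream_version() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://; s/-.*//'
}

# Classify an upstream version string. Prints one of:
#   affected       - one of the backdoored releases named in the notice
#   not-affected   - any other version (including reverted "+really" rebuilds)
#   unknown        - empty input (version could not be determined)
xz_backdoor_status() {
    ver="$(upstream_version "$1")"
    case "$ver" in
        "")              echo "unknown" ;;
        5.6|5.6.0|5.6.1) echo "affected" ;;
        *)               echo "not-affected" ;;
    esac
    return 0
}

# Read the installed version from the package database (assumption: Debian/Ubuntu,
# package name liblzma5) or, failing that, from the xz binary's first output line,
# which looks like "xz (XZ Utils) 5.2.4".
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' liblzma5 2>/dev/null || true
    elif command -v xz >/dev/null 2>&1; then
        xz --version 2>/dev/null | sed -n '1s/.* //p'
    fi
    return 0
}

# Report on the current host when run as a script.
ver="$(installed_xz_version)"
if [ -n "$ver" ]; then
    printf 'installed xz/liblzma version %s: %s\n' "$ver" "$(xz_backdoor_status "$ver")"
else
    echo "could not determine installed xz/liblzma version (neither dpkg-query nor xz found)"
fi
```

Run it as `sh check-xz.sh` on each host; a result of `affected` means the package must be rolled back or upgraded per the distribution’s advisory, while `unknown` means the host needs a manual look rather than a clean bill of health.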
All access to INKY servers that process sensitive customer data (e.g., emails and attachments) is further gated by bastion hosts. Only the bastion hosts have network connectivity to the production servers, and all access to the latter must happen via an extra hop through the former.
Logging in to any INKY bastion host requires the use of a provisioned hardware token. This means that any ssh attempt to the bastion receives a challenge requiring the user to press a button on a physical device (a YubiKey). This in turn prevents anyone without physical possession of one of the handful of authorized tokens from connecting to the bastion.
To further reduce the likelihood of impact from an unknown exploit, INKY upgrades system components and open-source dependencies conservatively; we wait until new versions have been released for some time before upgrading to them. (This helps ensure overall system stability as well, in that bugs discovered soon after a new release won’t affect INKY systems either.)
We will remain vigilant against supply chain attacks like this one and will proactively notify customers of any potential impact to INKY systems or customer data.
Fortunately, in this case, we can assure our customers there was no impact from CVE-2024-3094 to INKY or customer data handled by INKY services.